CISM Definitions Flashcards

1
Q

_____ is a binary-to-text encoding process that converts long bit sequences into
alphanumeric text.

A

Base64 Encoding

2
Q

Description of the logical grouping of capabilities that manage the objects necessary to process
information and support the enterprise’s objectives.

A

Application architecture

3
Q

A tool for managing organizational strategy that uses weighted measures for the areas of financial
performance (lag) indicators, internal operations, customer measurements, learning and growth
(lead) indicators, combined to rate the enterprise

A

Business balanced scorecard

4
Q

Application software deployed at multiple points in an IT architecture. It is designed to detect and
potentially eliminate virus code before damage is done and to repair or quarantine files that have
already been infected.

A

Antivirus software

5
Q

Logical and physical controls to define a perimeter between the organization and the outside world

A

Boundary

6
Q

Preventing, mitigating and recovering from disruption

A

Continuity

7
Q

The translation of the enterprise’s mission from a statement of intention into performance targets
and results

A

Business goal

8
Q

An algorithm to perform encryption

A

Cipher

9
Q

All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes.

A

Bus configuration

10
Q

The technique used for selecting records in a file, one at a time, for processing, retrieval or
storage. The access method is related to, but distinct from, the file organization, which determines
how the records are stored.

A

Access Method

11
Q

_____ is a way to identify, acquire and retain customers. _____ is also an industry term for software solutions
that help an enterprise manage customer relationships in an organized manner.

A

Customer relationship management (CRM)

12
Q

Any process that directly reduces a threat or vulnerability.

A

Countermeasure

13
Q

An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing.

A

Abend

14
Q

A mechanism that is used to isolate applications from each other within the context of a running
operating system instance.

A

Application containerization

15
Q

The examination of ratios, trends, and changes in balances and other values between periods to
obtain a broad understanding of the enterprise’s financial or operational position and to identify
areas that may require further or closer investigation

A

Analytical technique

16
Q

Automatic or manual process designed and established to continue critical business processes from point-of-failure to return-to-normal.

A

Alternative routing

17
Q

The process of cost allocation that assigns the original cost of an intangible asset to the periods benefited; calculated in the same way as depreciation.

A

Amortization

18
Q

A third party that delivers and manages applications and computer services, including security
services to multiple users via the Internet or a private network.

A

Application or managed service provider (ASP/MSP)

19
Q

Device that performs the functions of both a bridge and a router.

A

Brouter

20
Q

An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals. Also referred to as control tables.

A

Access Control List (ACL)

21
Q

A program that translates programming language (source code) into machine executable instructions
(object code).

A

Compiler

22
Q

A method/process by which management and staff of all levels collectively identify and evaluate risk
and controls with their business areas. This may be under the guidance of a facilitator such as an
auditor or risk manager.

A

Control risk self-assessment

23
Q
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A. storage capacity and shelf life.
B. regulatory and legal requirements.
C. business strategy and direction.
D. application systems and media.
A

Answer : D
Explanation: Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover. Business strategy and direction do not generally apply, nor do legal and regulatory requirements. Storage capacity and shelf life are important but secondary issues.

24
Q

Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives.

A

Balanced scorecard (BSC)

25
Q

A public algorithm that operates on plaintext in blocks (strings or groups) of bits

A

Cipher

26
Q

An internal computerized table of access rules regarding the levels of computer access permitted to
logon IDs and computer terminals.

A

Access control table

27
Q

A process for protecting very-high value assets or in environments where trust is an issue. Access to
an asset requires two or more processes, controls or individuals.

A

Compartmentalization

28
Q

A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message

A

Asymmetric key (public key)

29
Q

A trusted third party that serves authentication infrastructures or enterprises and registers entities
and issues them certificates

A

Certificate (Certification) authority (CA)

30
Q

Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact
of losing the support of any resource to an enterprise, establishes the escalation of that loss over
time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes
and the supporting system

A

Business impact analysis/assessment (BIA)

31
Q

The process of establishing the effective design and operation of automated controls within an
application.

A

Application benchmarking

32
Q

The individual accountable for delivering the benefits and value of an IT-enabled business investment
program to the enterprise.

A

Business sponsor

33
Q
A method of user authentication that is carried out through use of the Challenge Handshake
Authentication Protocol (CHAP).
A

Challenge/response token

34
Q

An alternate facility to continue IT/IS operations when the primary data processing (DP) center is unavailable.

A

Backup center

35
Q

The system by which enterprises are directed and controlled. The board of directors is responsible for
the governance of their enterprise. It consists of the leadership and organizational structures and
processes that ensure the enterprise sustains and extends strategies and objectives.

A

Corporate Governance

36
Q

A public algorithm that supports keys from 128 bits to 256 bits in size

A

Advanced Encryption Standard (AES)

37
Q

The thorough analysis and significant redesign of business processes and management systems to
establish a better performing structure, more responsive to the customer base and market
conditions, while yielding material cost savings.

A

Business process reengineering (BPR)

38
Q

The policies, procedures, practices and organizational structures designed to provide reasonable
assurance that a business process will achieve its objectives.

A

Business process control

39
Q

The individual, group or entity that is ultimately responsible for a subject matter, process or
scope.

A

Accountable party

40
Q

The processes, rules, and deployment mechanisms that control access to the information systems, resources, and physical access to premises

A

Access Control

41
Q

The risk of reaching an incorrect conclusion based upon audit findings.

A

Audit risk

42
Q

A type of challenge-response test used in computing to ensure that the response is not generated by
a computer. An example is the site request for web site users to recognize and type a phrase posted
using various challenging-to-read fonts

A

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)

43
Q

A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly
by the receiver without errors, or that the receiver is now ready to accept a transmission.

A

Acknowledgment (ACK)

44
Q

This approach allows IS auditors to monitor system reliability on a continuous basis and to gather
selective audit evidence through the computer.

A

Continuous audit approach

45
Q

Process of developing advance arrangements and procedures that enable an enterprise to respond to
an event that could occur by chance or unforeseen circumstances.

A

Contingency Planning

46
Q

The highest ranking individual in an enterprise

A

Chief executive officer (CEO)

47
Q

The policies, procedures, practices and organizational structures designed to provide reasonable
assurance that the business objectives will be achieved and undesired events will be prevented or
detected.

A

Business control

48
Q

An IS backup facility that has the necessary electrical and physical components of a computer facility,
but does not have the computer equipment in place.

A

Cold site

49
Q

The individual primarily responsible for managing the financial risk of an enterprise.

A

Chief financial officer (CFO)

50
Q

Which of the following is the BEST method or technique to ensure the effective
implementation of an information security program?
A. Obtain the support of the board of directors.
B. Improve the content of the information security awareness program.
C. Improve the employees’ knowledge of security policies.
D. Implement logical access controls to the information systems.

A

Answer : A
Explanation: It is extremely difficult to implement an information security program without the aid and support of the board of directors. If they do not understand the importance of security to the achievement of the business objectives, other measures will not be sufficient. Options B and C are measures proposed to ensure the efficiency of the information security program implementation, but are of less significance than obtaining the aid and support of the board of directors. Option D is a measure to secure the enterprise information, but by itself is not a measure to ensure the broader effectiveness of an information security program.

51
Q

The most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business
strategies, and planning, resourcing and managing the delivery of IT services, information and the
deployment of associated human resources

A

Chief information officer (CIO)

52
Q

Common path or channel between hardware devices.

A

Bus

53
Q

A statement of the desired result or purpose to be achieved by implementing control procedures in a
particular process.

A

Control objective

54
Q

A catalogue of attack patterns as “an abstraction mechanism for helping describe how an attack
against vulnerable systems or networks is executed” published by the MITRE Corporation

A

Common Attack Pattern Enumeration and Classification (CAPEC)

55
Q

The consolidation in 1998 of the “Cadbury,” “Greenbury” and “Hampel” Reports

A

Combined Code on Corporate Governance

56
Q
An outcome of effective security governance is:
A. business dependency assessment
B. strategic alignment.
C. risk assessment.
D. planning
A

Answer : B
Explanation: Business dependency assessment is a process of determining the dependency of a business on certain information resources. It is not an outcome or a product of effective security management. Strategic alignment is an outcome of effective security governance. Where there is good governance, there is likely to be strategic alignment. Risk assessment is not an outcome of effective security governance; it is a process. Planning comes at the beginning of effective security governance, and is not an outcome but a process.

57
Q

The existing description of the fundamental underlying design of the components of the business
system before entering a cycle of architecture review and redesign

A

Baseline architecture

58
Q

Any formal declaration or set of declarations about the subject matter made by management.

A

Assertion

59
Q

The means of managing risk, including policies, procedures, guidelines, practices or organizational
structures, which can be of an administrative, technical, management, or legal
nature

A

Control

60
Q

A service that connects programs running on internal networks to services on exterior networks by
creating two connections, one from the requesting client and another to the destination service

A

Application proxy

61
Q

______ is a binary-to-text encoding process that converts long bit sequences into
alphanumeric text, which is easier for users to read and transcribe.

A

Base58 Encoding

62
Q

Who is ultimately responsible for the organization’s information?
A. Data custodian
B. Chief information security officer (CISO)
C. Board of directors
D. Chief information officer (CIO)

A

Answer : C
Explanation: The board of directors is ultimately responsible for the organization’s information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management’s directives. The
chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization’s information.

63
Q

The Committee on the Financial Aspects of Corporate Governance, set up in May 1991 by the UK
Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, was
chaired by Sir Adrian Cadbury and produced a report on the subject commonly known in the UK as
the Cadbury Report.

A

Cadbury

64
Q

Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage.

A

Batch control

65
Q

A proven activity or process that has been successfully used by multiple enterprises.

A

Best practices

66
Q

Formal inspection and verification to check whether a standard or set of guidelines is being followed,
records are accurate, or efficiency and effectiveness targets are being met

A

Audit

67
Q

Automatic or manual process designed and established to continue critical business processes from
point-of-failure to return-to-normal.

A

Alternate process

68
Q

A process to determine the impact of losing the support of any resource.

A

Business impact analysis

69
Q

Adherence to, and the ability to demonstrate adherence to, mandated requirements defined by laws
and regulations, as well as voluntary requirements resulting from contractual obligations and internal
policies

A

Compliance

70
Q

A recovery strategy that involves two active sites, each capable of taking over the other’s workload in
the event of a disaster.

A

Active recovery site (Mirrored)

71
Q

A legal principle regarding the validity and integrity of evidence. It requires accountability for
anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for
from the time it was collected until the time it is presented in a court of
law

A

Chain of custody

72
Q

The net effect, positive or negative, on the achievement of business objectives.

A

Business impact

73
Q

Senior management commitment and support for information security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks.
B. explain the technical risks to the organization.
C. evaluate the organization against best security practices.
D. tie security risks to key business objectives.

A

Answer : D
Explanation: Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on the business environment and objectives. Industry best practices are important to senior management but, again, senior management will give them the right level of importance when they are presented in terms of key business objectives.

74
Q

Description of the fundamental underlying design of the components of the business system, or of
one element of the business system (e.g., technology), the relationships among them, and the
manner in which they support enterprise objectives.

A

Architecture

75
Q

Provides centralized access control for managing remote access dial-up services

A

Access server

76
Q

A type of malicious exploit of a web site whereby unauthorized commands are transmitted from a
user that the web site trusts (also known as a one-click attack or session riding); acronym pronounced
“sea-surf”.

A

Cross-site request forgery (CSRF)

77
Q

Most implementations of asymmetric ciphers combine a widely distributed public key and a closely held, protected private key.

A

Asymmetric cipher

78
Q

Method to select a portion of a population based on the presence or absence of a certain
characteristic

A

Attribute sampling

79
Q

A process of identifying resources critical to the operation of a business process.

A

Business dependency assessment

80
Q

Any event, whether anticipated (e.g., public service strike) or unanticipated (e.g., blackout), that
disrupts the normal course of business operations at an enterprise.

A

Business interruption

81
Q

A document approved by those charged with governance that defines the purpose, authority and
responsibility of the internal audit activity

A

Audit Charter

82
Q

A term derived from “robot network;” is a large automated and distributed network of previously
compromised computers that can be simultaneously controlled to launch large-scale attacks such as a
denial-of-service attack on selected victims

A

Botnet

83
Q

A probable situation with uncertain frequency and magnitude of loss (or gain).

A

Business Risk

84
Q

An instrument for checking the continued validity of the certificates for which the certification
authority (CA) has responsibility

A

Certificate revocation list (CRL)

85
Q
The MOST complete business case for security solutions is one that:
A. includes appropriate justification.
B. explains the current risk profile.
C. details regulatory requirements.
D. identifies incidents and losses
A

Answer : A
Explanation: Management is primarily interested in security solutions that can address risks in the most cost-effective way. To address the needs of an organization, a business case should address appropriate security solutions in line with the organizational strategy.

86
Q

The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence
to regulations and management policies.

A

Administrative control

87
Q

A class of algorithms that repeatedly try all possible combinations until a solution is found.

A

Brute force

88
Q

Component of an infrastructure (or an item, such as a request for change, associated with an infrastructure) which is, or is to be, under the control of configuration
management.

A

Configuration Item (CI)

89
Q

A further development of the business goals into tactical targets and desired results and outcomes.

A

Business objective

90
Q

The art of designing, analyzing and attacking cryptographic schemes

A

Cryptography

91
Q

Measure of interconnectivity among the structures of software programs. Coupling depends on the
interface complexity between modules.

A

Coupling

92
Q

The method used to identify the location of a participant in a network.

A

Addressing

93
Q

The main actions taken to operate the COBIT process.

A

Activity

94
Q
Interfaces at the physical layer of the open systems interconnection (OSI) reference model, data
terminal equipment (DTE) to data circuit terminating equipment (DCE), for switched carrier networks
A

Channel service unit/digital service unit (CSU/DSU)

95
Q

A plan used by an enterprise or business unit to respond to a specific systems failure or disruption

A

Contingency Plan

96
Q

A means of regaining access to a compromised system by installing software or configuring existing
software to enable remote access under attacker-defined conditions

A

Backdoor

97
Q

Testing an application with large quantities of data to evaluate its performance during peak periods.
Also called volume testing.

A

Capacity Stress Testing

98
Q

A type of injection, in which malicious scripts are injected into otherwise benign and trusted web
sites

A

Cross-site scripting (XSS)

99
Q

The point in an emergency procedure when the elapsed time passes a threshold and the interruption
is not resolved.

A

Alert situation

100
Q

The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise’s business objective

A

Acceptable interruption window

101
Q

The boundary defining the scope of control authority for an entity

A

Control perimeter

102
Q

Preserving authorized restrictions on access and disclosure, including means for protecting privacy
and proprietary information.

A

Confidentiality

103
Q

The PRIMARY benefit of performing an information asset classification is to:
A. link security requirements to business objectives.
B. identify controls commensurate to risk.
C. define access rights.
D. establish ownership

A

Answer : B
Explanation: All choices are benefits of information classification. However, identifying controls that are proportional to the risk in all cases is the primary benefit of the process.

104
Q

Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle

A

Business case

105
Q

A test that has been designed to evaluate the performance of a system

A

Benchmark

106
Q

Unusual or statistically rare.

A

Anomaly

107
Q

A recurring journal entry used to allocate revenues or costs

A

Allocation entry

108
Q

A distributed, protected journaling and ledger system. Use of blockchain technologies can enable
anything from digital currency (e.g., Bitcoin) to any other value-bearing transaction.

A

Blockchain

109
Q

The control of changes to a set of configuration items over a system life cycle.

A

Configuration Management

110
Q

Data that is not encrypted. Also known as plaintext

A

Cleartext

111
Q

A plan containing the nature, timing and extent of audit procedures to be performed by
engagement team members in order to obtain sufficient appropriate audit evidence to form an
opinion.

A

Audit Plan

112
Q

The risk that a material error exists that would not be prevented or detected on a timely basis by the
system of internal controls

A

Control Risk

113
Q

A policy that establishes an agreement between users and the enterprise and defines for all parties the range of uses that are approved before gaining access to a network or the internet.

A

Acceptable Use Policy

114
Q

Contains the essential elements of effective processes for one or more disciplines. It also describes
an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes
with improved quality and effectiveness.

A

Capability Maturity Model (CMM)

115
Q

In the Open Systems Interconnection (OSI) communications model, the application layer provides
services for an application program to ensure that effective communication with another application
program in a network is possible

A

Application layer

116
Q

Responsible for coordinating the planning, development, implementation, maintenance and
monitoring of the information security program.

A

Corporate Security Officer (CSO)

117
Q

The permission or privileges granted to users, programs or workstations to create, change, delete or
view data and files within a system, as defined by rules established by data owners and the
information security policy.

A

Access rights

118
Q

Nonstop service, with no lapse in service; the highest level of service in which no downtime is
allowed.

A

Continuous availability

119
Q

A standardized body of data created for testing purposes.

A

Base case

120
Q

An adversary that possesses sophisticated levels of expertise and significant resources which allow it
to create opportunities to achieve its objectives using multiple attack vectors (NIST SP 800-61).

A

Advanced persistent threat (APT)

121
Q

The senior executive responsible for managing the day-to-day operations of a company or other institution.

A

Chief Operating Officer (COO)

122
Q

An application service provider (ASP) that also provides outsourcing of business processes such as
payment processing, sales order processing and application development.

A

Business service provider (BSP)

123
Q

Reduction of signal strength during transmission

A

Attenuation

124
Q

______ is now used only as the acronym in its fifth iteration. A complete, internationally accepted framework for governing and managing enterprise information and technology (IT) that supports enterprise
executives and management in their definition and achievement of business goals and related IT
goals. _____ describes five principles and seven enablers that support enterprises in the
development, implementation, and continuous improvement and monitoring of good IT-related
governance and management practices

A

COBIT

125
Q

The ability to map a given activity or event back to the responsible party

A

Accountability

126
Q

The logical route that an end user takes to access computerized information.

Scope Notes: Typically includes a route through the operating system, telecommunications software, selected application software and the access control system.

A

Access path

127
Q

The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).

A

Bandwidth

128
Q

Locations and infrastructures from which emergency or backup processes are executed, when the
main premises are unavailable or destroyed.

A

Alternate facilities

129
Q

A software package that automatically plays, displays or downloads advertising material to a
computer after the software is installed on it or while the application is being
used.

A

Adware

130
Q

A holistic and business-oriented model that supports enterprise governance and management of
information security, and provides a common language for information security professionals and
business management.

A

Business Model for Information Security (BMIS)

131
Q

Actions taken to limit exposure after an incident has been identified and confirmed

A

Containment

132
Q

A message kept in the web browser for the purpose of identifying users and possibly preparing
customized web pages for them

A

Cookie

133
Q

The individual who focuses on technical issues in an enterprise

A

Chief technology officer (CTO)

134
Q

The number of distinct locations that may be referred to with the machine address.

A

Address space

135
Q

A discussion document that sets out an “enterprise governance model” focusing strongly on both the
enterprise business goals and the information technology enablers that facilitate good enterprise
governance, published by the Information Systems Audit and Control Foundation in 1999.

A

Control Objectives for Enterprise Governance

136
Q

The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
A. generally accepted industry best practices.
B. business requirements.
C. legislative and regulatory requirements.
D. storage availability.

A

Answer : B
Explanation: The primary concern will be to comply with legislation and regulation, but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided.

137
Q

A code whose representation is limited to 0 and 1.

A

Binary code

138
Q

Information generated by an encryption algorithm to protect the plaintext and that is unintelligible to
the unauthorized reader.

A

Ciphertext

139
Q

_______ is a process of determining the dependency of a business on certain information resources.

A

Business dependency assessment

140
Q

An investigator of activities related to computer crime.

A

Cybercop

141
Q

The person usually responsible for all security matters, both physical and digital, in an enterprise

A

Chief Information Security Officer (CSO)

142
Q

An expenditure that is recorded as an asset because it is expected to benefit more than the current
period. The asset is then depreciated or amortized over the expected useful life of the asset

A

Capital expenditure/expense (CAPEX)

143
Q

A response in which the system either automatically, or in concert with the user, blocks or otherwise
affects the progress of a detected attack.

A

Active response

144
Q

Activities conducted in the name of security, business, politics or technology to find information that
ought to remain secret. It is not inherently military.

A

Cyberespionage

145
Q

The calendar can contain “real” accounting periods and/or adjusting accounting periods. The “real”
accounting periods must not overlap and cannot have any gaps between them. Adjusting accounting
periods can overlap with other accounting periods.

A

Adjusting period

146
Q

The individual responsible for identifying process requirements, approving process design and
managing process performance.

A

Business Process Owner

147
Q

Within computer storage, the code used to designate the location of a specific piece of data

A

Address

148
Q

System heavily fortified against attacks

A

Bastion

149
Q

A holistic and proactive approach to managing the transition from a current to a desired
organizational state, focusing specifically on the critical human or “soft” elements of
change

A

Change management

150
Q

A group of people integrated at the enterprise with clear lines of reporting and responsibilities for
standby support in case of an information systems emergency. This group will act as an efficient
corrective control, and should also act as a single point of contact for all incidents and issues related
to information systems.

A

Computer emergency response team (CERT)

151
Q

A plan used by an enterprise to respond to disruption of critical business processes. Depends on the
contingency plan for restoration of critical systems.

A

Business continuity plan (BCP)

152
Q

Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

A

Buffer overflow

153
Q

The PRIMARY benefit of performing an information asset classification is to:
A. link security requirements to business objectives.
B. identify controls commensurate to risk.
C. define access rights.
D. establish ownership.

A

Answer : B
Explanation: All choices are benefits of information classification. However, identifying controls that are proportional to the risk in all cases is the primary benefit of the process.

154
Q

A transmission signal that varies continuously in amplitude and time and is generated in wave
formation.

A

Analog

155
Q

The act of verifying identity, i.e., user, system.

A

Authentication

156
Q

A technique of reading a computer file while bypassing the internal file/data set label. This process
could result in bypassing of the security access control system.

A

Bypass label processing (BLP)

157
Q

The person in charge of information security within the enterprise

A

Chief Information Security Officer (CISO)

158
Q

Members of the operations area who are responsible for the collection, logging and submission of
input for the various user groups.

A

Control Group

159
Q

Memory reserved to temporarily hold data to offset differences between the operating speeds of
different devices, such as a printer and a computer.

A

Buffer

160
Q

Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack?
A. An intrusion prevention system (IPS)
B. An intrusion detection system (IDS)
C. A host-based intrusion detection system (HIDS)
D. A host-based firewall

A

Answer : A
Explanation: SQL injection attacks occur at the application layer. Most IPS vendors will detect at least basic sets of SQL injection and will be able to stop them. An IDS will detect, but not prevent. A HIDS will be unaware of SQL injection problems. A host-based firewall, be it on the web server or the database server, will allow the connection because firewalls do not check packets at an application layer.

161
Q

The recovery point objective (RPO) requires which of the following?
A. Disaster declaration
B. Before-image restoration
C. System restoration
D. After-image processing

A

Answer : B
Explanation: The recovery point objective (RPO) is the point in the processing flow at which system recovery should occur. This is the predetermined state of the application processing and data used to restore the system and to continue the processing flow. Disaster declaration is independent of this processing checkpoint. Restoration of the system can occur at a later date, as does the return to normal, after-image processing.

162
Q

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
A. meet with stakeholders to decide how to comply.
B. analyze key risks in the compliance process.
C. assess whether existing controls meet the regulation.
D. update the existing security/privacy policy.

A

Answer : C
Explanation: If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.

163
Q

Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?
A. Regular review of access control lists
B. Security guard escort of visitors
C. Visitor registry log at the door
D. A biometric coupled with a PIN

A

Answer : A
Explanation: A review of access control lists is a detective control that will enable an information security manager to ensure that authorized persons are entering in compliance with corporate policy. Visitors accompanied by a guard will also provide assurance but may not be cost effective. A visitor registry is the next most cost-effective control. A biometric coupled with a PIN will strengthen the access control; however, compliance assurance logs will still have to be reviewed.

164
Q

Who is responsible for ensuring that information is categorized and that specific protective measures are taken?
A. The security officer
B. Senior management
C. The end user
D. The custodian

A

Answer : B
Explanation: Routine administration of all aspects of security is delegated, but top management must retain overall responsibility. The security officer supports and implements information security for senior management. The end user does not perform categorization. The custodian supports and implements information security measures as directed.

165
Q

An organization’s information security manager has been asked to hire a consultant to help assess the maturity level of the organization’s information security management. The MOST important element of the request for proposal (RFP) is the:
A. references from other organizations.
B. past experience of the engagement team.
C. sample deliverable.
D. methodology used in the assessment.

A

Answer : D
Explanation: Methodology illustrates the process and formulates the basis to align expectations and the execution of the assessment. This also provides a picture of what is required of all parties involved in the assessment. References from other organizations are important, but not as important as the methodology used in the assessment. Past experience of the engagement team is not as important as the methodology used. Sample deliverables only tell how the assessment is presented, not the process.

166
Q

Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers?
A. Daily
B. Weekly
C. Concurrently with O/S patch updates
D. During scheduled change control updates

A

Answer : A
Explanation: New viruses are being introduced almost daily. The effectiveness of virus detection software depends on frequent updates to its virus signatures, which are stored on antivirus signature files so updates may be carried out several times during the day. At a minimum, daily updating should occur. Patches may occur less frequently. Weekly updates may potentially allow new viruses to infect the system.

167
Q

Which of the following would be the MOST significant security risk in a pharmaceutical institution?
A. Compromised customer information
B. Unavailability of online transactions
C. Theft of security tokens
D. Theft of a Research and Development laptop

A

Answer : D
Explanation: The research and development department is usually the most sensitive area of the pharmaceutical organization. Theft of a laptop from this area could result in the disclosure of sensitive formulas and other intellectual property, which could represent the greatest security breach. A pharmaceutical organization does not normally have direct contact with end customers, and their transactions are not time critical; therefore, compromised customer information and unavailability of online transactions are not the most significant security risks. Theft of security tokens would not be as significant since a PIN would still be required for their use.

168
Q

Who should be responsible for enforcing access rights to application data?

A. Data owners
B. Business process owners
C. The security steering committee
D. Security administrators

A

Answer : D
Explanation: As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights. Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security steering committee would not be responsible for enforcement.